In December 2013, Target shoppers got an unwelcome holiday surprise: the retailer's systems fell victim to hacking. The same month, Target reported that more than 40 million credit card numbers had been lost to hackers. Moreover, the large retailer also reported that more than 70 million private data records had been lost. Overall, the hackers made away with more than 11 GB of data. The news made headlines, and many experts pointed at Target's business model as having vulnerabilities that allowed the hack to happen.
The business model of Target is mainly based on its Point of Sale (POS) system. POS is a system used by small and large retailers to record sales, make transactions and track inventory. In the case of Target and other large retailers, POS is the nerve system of the business. Without POS, businesses such as Target would still be using outdated cash registers that don't adequately track the movement of a product from the shelves to the customer (Radichel, 2014). POS can also be modified to perform a variety of other functions depending on the business needs. Through the use of POS, Target was able to create value for its products and sell them effectively to its customers. Target offers a variety of products such as hair products, clothes, equipment and others. Although the POS is the nerve system of Target's business model, it is just part of the whole business system. A breakdown of Target's business model involves various parties and programs.
Target's business model is composed of three parties: its suppliers, the corporation (Target) and the customers. Target interacts with different vendors. Some vendors supply it with food, while others supply equipment. However, all vendors that interact with the company do so via a vendor portal. In this case, hackers managed to gain entry into Target's system using a third party. Investigations showed that the third party was a vendor who provided refrigeration services to Target. The vendor portal is protected by Microsoft System Center Configuration Manager (SCCM), which deploys security patches and system updates. The vendor portal is connected to the POS system via Target's network. The network provides centralised authentication, domain name resolution and endpoint monitoring services throughout the network (Radichel, 2014). Target has numerous POS systems that it uses to transact with its clients. As a customer swipes a credit card to pay for a product, the credit card number is saved in the network via the POS system. After a sale is made, the POS updates the inventory automatically. The business model of Target is entirely dependent on the three main actors: Target's suppliers, Target itself and its customers.
Cyber Security Laws
In the United States, only a few cyber security laws have been enacted, and those already enacted apply only to some specific industries. The three main federal cyber security laws in the United States are the Health Insurance Portability and Accountability Act (HIPAA), which was passed in 1996, the Gramm-Leach-Bliley Act, which was passed in 2002, and the Homeland Security Act, which included the Federal Information Security Management Act (FISMA) (Charles, 2016). The three regulations mandate that federal agencies, financial institutions and health organizations protect their information and systems at all times. The law requires the development and implementation of principles, standards and guidelines for information security. Another federal law is the Cyber Enhancement Act, which was passed in 2014. The law allows for an active partnership between the public and private sectors to improve information sharing and strengthen cyber security.
On the other hand, state laws include rules such as the Notice of Security Breach, which was passed in 2003 by states in the U.S. This law requires that a company always make any security breach known to the public (Charles, 2016). Another vital state law is the Computer Fraud Abuse Act, which prohibits unauthorised computer access. On the international stage, there are also cyber security laws in place. One is the Budapest Convention on Cyber Security Act, which was passed in 2001. The legislation seeks to prosecute all cybercrimes on a global scale regardless of the territory.
Cyber Law within the organization
Target has set cyber security policies to protect its information systems. One such policy is the contract compromise policy, which was formed after the 2013 breach. Target had little control over the ecosystem of the third-party vendor when the breach occurred. With the new policy, however, Target requires all its vendors and contractors to apply extra layers of security in their systems. Contractors are also required to pay for a license for malware protection. Furthermore, they are required to incorporate security measures such as two-step verification. Another policy that Target uses is the log management policy. The policy requires random reviews of source code and automated scans of the network. Moreover, it allows the organization's security experts to carry out a speedy forensic audit at any time without any rank restrictions. The policy also provides the necessary resources to Target's personnel to prevent exfiltration of stolen data (Poulin, 2014).
How to investigate and handle cyber related crimes
There are a variety of ways to investigate cybercrimes; however, the investigation depends on whether the crime is internet-based or an internal hack. If it is internet-based, the first step is always to identify the Internet Protocol address. A company can also use a court order to subpoena any third party involved in the incident. This way, the company will be able to track the movement of stolen data to find the real culprits. Furthermore, to investigate an incident a company should also undertake accurate and fast forensic audits to pinpoint the stolen data before they are sold on the black market. If the hack occurred via a foreign device, the device should be located on the server and analysed to get the original data of the malware. Any breach of data should be made public. Making the breach public ensures that all parties compromised by the offence are well aware of the situation. Furthermore, the company also needs to ensure that all individuals found guilty are prosecuted according to existing cyber and criminal laws.
Impacts of cybercrime
Cybercrime can have a varying impact on an organization's information technology structure. It can lead to exposure of existing vulnerabilities in a network. Such vulnerabilities can be used by other hackers in the future to try to access the organization's systems. Cybercrime offers opportunities to identity thieves, who end up stealing crucial personal data from an organization's customers. Furthermore, it exposes weaknesses in a system, which forces a company to upgrade its network.
Information Security measures
To safeguard its security infrastructure, an organization should put various security measures in place. One measure is Defence in Depth. Defence in Depth provides multiple layers of security to prevent access to an organization's systems. This approach is different from the traditional method of offering only one layer of protection. Companies use multiple layers of data encryption to prevent adversaries from gaining access to the system. The organization should also make use of Denial of Service attack (DoS). DoS prevents unauthorized access to data by any party in a system. Organizations should also make use of critical controls that will ensure in-depth scrutiny of the network. The critical controls include an inventory of authorised and unauthorised devices and an inventory of authorised and unauthorised software (Radichel, 2014).
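The two inventory controls named above can be shown as a reconciliation between what a discovery scan observes and what the organization has approved. The following Python example is added here for illustration and is not from the original essay or from Target; the addresses, roles and software names are constructed sample data, and the record layout is an assumption.

```python
import re

# Constructed allow-list (assumption, not from the essay): normalised MAC ->
# role and the software approved for that device.
AUTHORISED = {
    "00:1a:2b:3c:4d:01": {"role": "pos-terminal-1", "software": {"pos-client", "av-agent"}},
    "00:1a:2b:3c:4d:02": {"role": "vendor-portal", "software": {"web-server", "av-agent"}},
    "00:1a:2b:3c:4d:03": {"role": "pos-terminal-2", "software": {"pos-client", "av-agent"}},
}

# Constructed discovery-scan output; MAC formats vary as they do across tools.
OBSERVED = [
    {"mac": "00-1A-2B-3C-4D-01", "ip": "10.0.5.11",
     "software": ["POS-Client", "AV-Agent", "file-transfer-tool"]},
    {"mac": "001a.2b3c.4d02", "ip": "10.0.9.20", "software": ["web-server", "av-agent"]},
    {"mac": "00:1A:2B:3C:4D:99", "ip": "10.0.5.77", "software": ["unlisted-service"]},
    {"mac": "not-a-mac", "ip": "10.0.5.78", "software": []},
]

def normalise_mac(raw):
    """Return lowercase colon-separated MAC, or None if the value is malformed."""
    cleaned = re.sub(r"[:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", cleaned):
        return None
    return ":".join(cleaned[i:i + 2] for i in range(0, 12, 2))

def audit(observed, authorised):
    """Compare scan results with the inventory; return (kind, where, detail) findings."""
    findings, seen = [], set()
    for dev in observed:
        mac = normalise_mac(dev["mac"])
        if mac is None:  # never silently drop a record that cannot be matched
            findings.append(("malformed-record", dev["ip"], dev["mac"]))
            continue
        seen.add(mac)
        entry = authorised.get(mac)
        if entry is None:
            findings.append(("unauthorised-device", dev["ip"], mac))
            continue
        installed = {name.lower() for name in dev["software"]}
        for name in sorted(installed - entry["software"]):
            findings.append(("unauthorised-software", dev["ip"], name))
    # Approved devices that did not answer the scan also need follow-up.
    for mac in sorted(set(authorised) - seen):
        findings.append(("missing-device", authorised[mac]["role"], mac))
    return findings

if __name__ == "__main__":
    for finding in audit(OBSERVED, AUTHORISED):
        print(*finding, sep="\t")
```

Each finding type maps to a different follow-up: an unknown device is isolated and identified, unapproved software on a known device is removed or formally approved, and a missing or malformed record means the inventory itself needs correcting.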
Information Systems Security Measures
The organization's current information systems security measures include point-to-point encryption (P2PE). P2PE allows the organization to encrypt the PIN data on the cards. When the card is swiped, the cryptogram data of the card goes through to a payment HSM that decrypts then re-encrypts the card (Radichel, 2014). This way, the PIN and the card number of the client remain secured. The organization also implements controls that secure the configuration of hardware. Furthermore, the controls in place allow only authorised software to run on the network. Target has also put in place web application software security to help protect its internet protocol. Patching vulnerabilities in the system places Target in an excellent position to prevent any future attacks. Target is also poised to conduct penetration testing on the network. Such tests will help uncover any existing weaknesses in its systems.
Cyber laws to protect the organization's data
The current cyber laws and policies in place, both federal and organizational, will ensure that the organization's data is protected from outside intrusion. The contract compromise policy of Target will ensure that both the company and its vendors have updated systems and take the necessary measures to avoid any data breach. The log management policy of the company will ensure that random checks on the company's network flush out any hidden malware or vulnerabilities. The Computer Fraud Abuse Act, which is a state law, will ensure that all attempted intrusions can be charged under law. The rules and measures put in place by Target allow the company to put in place a fully secure system to run its business.
- Charles, A. (2016, March 4). RSA Conference. Retrieved from RSA: https://www.rsaconference.com/writable/presentations/file_upload/law-w04-global_cybersecurity_laws_regulations_and_liability.pdf
- Poulin, C. (2014). What Retailers Need to Learn from the Target Breach to Protect against Similar Attacks. Security Intelligence, 112-119.
- Radichel, T. (2014). Case Study: Critical Controls that Could Have Prevented Target Breach. New York: SANS Institute.